
'Zero-day Wednesday' strikes again?
By Joris Evers
Published: 11 April 2007 08:52 GMT
A trio of what appear to be new, yet-to-be-patched flaws in Microsoft Office has surfaced, according to security researchers at McAfee.
The vulnerabilities were reported in online security forums on Monday, according to a posting on the McAfee Avert Labs blog. All but one of the flaws result in denial of service, meaning the application would crash, according to the blog post.
Karthik Raman, a McAfee researcher, wrote on the blog: "There is one heap-overflow flaw that might be exploited for code execution." Typically such flaws are exploited by tricking a targeted victim into opening a rigged Office document.
Microsoft is investigating the bug reports as well, a company representative said. The software behemoth is not aware of any attacks that exploit any of the issues at this time, the representative added.
Word of the flaws comes on the day Microsoft issued five security bulletins as part of its monthly patch cycle. It is still dealing with the aftermath of an emergency patch released last week.
Raman wrote: "This is yet another time that zero-day flaws have been published around a Patch Tuesday, possibly to maximise the exposure to these flaws until the next month's Patch Tuesday."
Cyber crooks have found they can take advantage of Microsoft's security update cycle by timing new attacks right before or just after Patch Tuesday - the second Tuesday of each month when the software maker releases its fixes. Some security watchers have coined the term "zero-day Wednesday" to describe that strategy.
McAfee is still investigating the security vulnerabilities. They may not actually all be new, said Dave Marcus, security research and communications manager at the company. "Sometimes what people claim to be zero-days may in fact be related to something that's already known," he said.
Should the three Office bugs be new, the tally of zero-day vulnerabilities in the productivity suite waiting for a fix would jump to five. Microsoft did not deliver any patches for Office on Tuesday, despite two vulnerabilities in the software that have been previously disclosed, according to eEye Security's zero-day flaw tracker.
Redmond issued five security bulletins with fixes for eight flaws on Patch Tuesday, including a "critical" zero-day vulnerability in Windows which also affects Vista.
Joris Evers writes for CNET News.com
Copyright © 2008 CBS Interactive Limited. All rights reserved.